In a bipartisan effort, the U.S. House of Representatives has passed a new bill designed to increase security for IoT devices. It’s aptly named the IoT Cybersecurity Improvement Act, and it still needs to go through the U.S. Senate and be signed into law by the President of the United States.
More and more countries realize that IoT security is a serious matter, and the United States is following the example of Australia and the United Kingdom in the construction of a legislative framework to regulate this industry.
The IoT Cybersecurity Improvement Act is actually an improved version of an older bill from 2017 that was originally introduced by U.S. Senator Cory Gardner (R-CO) and U.S. Senator Mark Warner (D-VA).
“Most experts expect tens of billions of devices operating on our networks within the next several years as the Internet of Things (IoT) landscape continues to expand,” said Senator Gardner.
“We need to make sure these devices are secure from malicious cyber-attacks as they continue to transform our society and add countless new entry points into our networks, particularly when they are integrated into the federal government’s networks,” he continued.
Unlike some of the other similar initiatives worldwide, the bill would force the federal government to purchase only devices that meet basic requirements to prevent hackers from accessing systems. It’s not trying to regulate what the IoT industry does but to force the market from the other end.
In essence, if the bill passes and becomes law, it would require the National Institute of Standards and Technology (NIST) to issue standards and guidelines addressing, at a minimum, secure development, identity management, patching, and configuration management for IoT devices.
Also, the Office of Management and Budget (OMB) would have to issue strict guidelines and new policies that would need to be reviewed every five years. NIST would have to work directly with cybersecurity experts and industry representatives, along with the Department of Homeland Security (DHS) for coordinated vulnerability disclosures.
For now, it’s unclear what timeline the bill is expected to follow, but given that it’s a bipartisan effort, it shouldn’t take too long before it becomes a reality.